They have declared me clean from any malware or infection. Further details can be found in that post, but to summarize:

When I first log in to my PC, I get connections via Svchost(NetworkService) to a few IP addresses including an addr.btopenworld, 104.16.93.188, 93.184.220.20, 93.184.220.29, comodoca.crl, apps.digsigtrust and one to securenet. The most data received seems to be from the 93.184.220.20 or 93.184.220.29. A connection to a Google-registered IP also occurs. The connections also occurred when connecting to Steam and when Premiere Pro or other Adobe products were transmitting usage data. It also occasionally does it while I use Chrome. I used Process Explorer and the service within Network Service that was making the connections was CryptSvc.

My work PC makes a connection like the ones described above when it boots up, though it's to Akamai. My brother's computer also had many of the same connections that mine did. So now I want to actually know what is causing these checks. I am on Windows 7N, my connection is BT using a TP-Link adapter and a router.

I am not sure. I mean, the malware forum declared my PC clean, and nothing strange has happened on it. I would just like to know why it makes connections to these IPs, usually while reading my CryptnetUrlCache. I think another one of the IP addresses was 192.35.177.64. I just want to finally know why it needs to do this, is all.

So I understand that this behavior is normal, but why these IPs specifically? What causes the checks and why does it read the cache? Does the CDN of my IP have something to do with it? If this is not the correct forum to ask this on, please say so, that I might take this query to the right place.

If you want to know what program, app or service is establishing a connection, you can run a command.

Go to Start, Run or Search and type cmd, then right-click it and choose Run as administrator. Type netstat -bano

Running that, you should see a list of established connections: the IP address, the service or .exe file that is connecting, and the PID number. Now, with the PID number, you can investigate further. Hit Ctrl+Shift+Esc to open Task Manager. Under the Details tab, look up running processes that match that PID. Right-click the service and you can get more options, such as opening the file location, or Properties to check digital signatures to see if it is a legit app, etc.
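
Added example, not part of the original post: a Python parser for the `netstat -bano` output described above that attributes each connection to its executable and, for svchost.exe, to the hosted service named on the line above it. The sample output is constructed (only the two port-80 remote IPs come from this thread), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -bano` output. The two :80 remotes are IPs quoted
# in the thread; the local address, PIDs and 192.0.2.x remotes are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49201     93.184.220.29:80       ESTABLISHED     1044
  CryptSvc
 [svchost.exe]
  TCP    192.168.1.10:49202     104.16.93.188:80       ESTABLISHED     1044
  CryptSvc
 [svchost.exe]
  TCP    192.168.1.10:49230     192.0.2.15:443         ESTABLISHED     5120
 [chrome.exe]
  TCP    192.168.1.10:49240     192.0.2.77:443         TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1290
  Dnscache
 [svchost.exe]
"""

# proto, local, remote, optional state (UDP rows have none), PID
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

def parse_netstat_b(text):
    """Return one dict per connection with its owning image and hosted service."""
    conns = []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote, "state": state,
                          "pid": int(pid), "service": None, "image": None})
            continue
        s = line.strip()
        if not s or not conns or conns[-1]["image"] is not None:
            continue  # headers, blank lines, or owner already recorded
        if s.startswith("[") and s.endswith("]"):
            conns[-1]["image"] = s[1:-1]      # executable line, e.g. [svchost.exe]
        elif s == "Can not obtain ownership information":
            conns[-1]["image"] = "unknown"    # netstat could not identify the owner
        else:
            conns[-1]["service"] = s          # component line, e.g. CryptSvc
    return conns

def remotes_by_service(conns, image="svchost.exe"):
    """Group remote endpoints by the service hosted inside one image."""
    out = defaultdict(set)
    for c in conns:
        if c["image"] and c["image"].lower() == image and c["remote"] != "*:*":
            out[c["service"]].add(c["remote"])
    return {svc: sorted(eps) for svc, eps in out.items()}
```

Save real output with `netstat -bano > out.txt` from the elevated prompt and pass the file's contents to `parse_netstat_b` in place of `SAMPLE`.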

Hi technonymous. As I said in the post body, I know what svchost is making these connections and the service; it's CryptSvc. All run under system. The malware team have assured me it's nothing dodgy, so now I just want to know why it's making these connections.

Well, CryptSvc in particular is just an update service from Microsoft that does routine checks on many Trusted Root Certification Authority certificates in your cert manager. This is to ensure that those root certificates installed on your PC are up to date and valid/signed. Many certs may only be valid for a year. Some may have been revoked because the root keys have become compromised and the update is connecting to upload a current one. It is an important and critical service. If a root cert is compromised, then your online session to banking, web services, data, etc. over an encrypted Secure Socket Layer SSL/TLS 1.2 may not be safe.